BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

138 decisions matching

Federal (Canada) · Privacy Act · Well-founded
Apr 24, 2023 · Indexed Apr 12, 2026

CBSA’s use of commercial genetic genealogy in a deportation case contravenes the Privacy Act

Canada Border Services Agency (CBSA)

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that the Canada Border Services Agency (CBSA) contravened the Privacy Act by collecting and using DNA from a complainant for genetic genealogy analysis to determine his nationality for deportation purposes. The OPC found that the CBSA contravened the Act by failing to obtain valid authorization for the indirect collection of the complainant's genetic information from FamilyTreeDNA (FTDNA), by improperly disclosing his personal information to other FTDNA users, and by failing to adequately describe the collection of relatives' genetic information in its public notices (PIBs).

Adjudicator: Philippe Dufresne

Key Issues
  • Was the CBSA's collection of genetic genealogy information directly related to its operations?
  • Was the authorization for indirect collection from FTDNA valid?
  • Did incidental disclosures of personal information contravene the Act?
  • Were the transparency obligations under Section 11 met?

Federal (Canada) · Privacy Act · Well-founded & resolved
Apr 13, 2023 · Indexed Apr 12, 2026

Investigation of Correctional Service Canada’s collection and disclosure of an individual’s personal information from Facebook related to an employee’s 699-leave

Correctional Service Canada

The spouse of a Correctional Service Canada (CSC) employee complained that the employee's manager inappropriately collected personal information about them from their public Facebook page in relation to the employee's use of "Other leave with pay (699)". The OPC found that CSC contravened section 4 of the Privacy Act by collecting information that was not related directly to an operating program or activity of CSC. The OPC also noted that CSC's ATIP office incorrectly advised the complainant on how to raise a privacy concern.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether the collection of personal information from a public Facebook page was related directly to an operating program or activity of CSC.
  • Whether information collected from a public source is exempt from the collection provisions of the Privacy Act.
  • Whether CSC's ATIP office provided appropriate guidance to a member of the public wishing to raise a privacy concern.

Federal (Canada) · Privacy Act · Well-founded
Mar 31, 2023 · Indexed Apr 12, 2026

Immigration and Refugee Board of Canada wrongly disclosed intimate and medical information to an employee’s management team via a fitness to work report

Immigration and Refugee Board of Canada

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint concerning the Immigration and Refugee Board of Canada's (IRB) improper disclosure of an employee's sensitive medical information to their management team. The IRB shared a "Fitness to Work" report containing intimate medical details without the employee's consent and beyond what was necessary for accommodation. The OPC found that while some information disclosure was consistent with the purpose of collection, the disclosure of highly sensitive medical information was not, thus contravening the Privacy Act. The IRB has since updated its policies and tools, but the OPC found the complaint to be well-founded and not adequately resolved, urging the IRB to implement its recommendations, including training and a meaningful apology.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether the IRB obtained the complainant's consent to disclose their medical information.
  • Whether the disclosure of the medical information in the FTW report to management constituted a "consistent use" under paragraph 8(2)(a) of the Privacy Act.
  • Whether the IRB's disclosure practices complied with the Treasury Board Secretariat's "Standard" on fitness to work evaluations.
  • The adequacy of the IRB's response to the OPC's recommendations.

Federal (Canada) · Privacy Act · Well-founded & resolved
Feb 23, 2023 · Indexed Apr 12, 2026

Failure to publish a personal information bank description on Zero-Emissions Program contravenes the Privacy Act

Transport Canada

An individual complained that Transport Canada failed to publish a description of the Personal Information Bank (PIB) for its Incentives for Zero-Emission Vehicles Program. The investigation found that Transport Canada did not submit the PIB description for approval until 19 months after the program launched, and it was still not approved by the Treasury Board Secretariat (TBS) by the time the OPC's report was issued. Transport Canada has since confirmed the PIB has been approved and published.

Adjudicator: Philippe Dufresne

Key Issues
  • Failure to publish a Personal Information Bank (PIB) description for a program
  • Timeliness of PIB approval and publication by government institutions and TBS
  • Adequate notification to individuals about the collection and use of their personal information

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Feb 15, 2023 · Indexed Apr 12, 2026

TBS email breach illustrates the importance of considering context when assessing impact of a breach

Treasury Board of Canada Secretariat (TBS)

Twenty federal employees complained after the Treasury Board of Canada Secretariat (TBS) mistakenly disclosed their email addresses and the fact they had filed claims for damages related to the Severe Phoenix Impacts program. The OPC found that TBS contravened the Privacy Act by improperly disclosing personal information. While TBS argued the breach was not material, the OPC disagreed, emphasizing the importance of contextual factors and the potential for harm, even if not all individuals experienced severe injury.

Adjudicator: Philippe Dufresne

Key Issues
  • Was the disclosure of personal information authorized under the Privacy Act?
  • Was the privacy breach considered "material" by TBS?
  • Did TBS conduct a holistic and context-informed assessment of the breach's materiality and potential harm?

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Dec 14, 2022 · Indexed Apr 12, 2026

IRCC email breach creates risk of harm to individuals seeking Afghan emergency assistance

Immigration, Refugees and Citizenship Canada (IRCC)

Immigration, Refugees and Citizenship Canada (IRCC) inadvertently disclosed the email addresses of 636 individuals seeking emergency assistance related to the situation in Afghanistan. These individuals were included in the "TO" field of mass emails, rather than the "BCC" field, exposing their contact information to other recipients. The Office of the Privacy Commissioner of Canada (OPC) found that IRCC contravened section 8 of the Privacy Act due to insufficient controls to prevent such disclosures and that the complaint was well-founded. While IRCC took immediate steps to mitigate the breach, the OPC emphasized the need for robust preventative measures.

Adjudicator: Philippe Dufresne

Key Issues
  • Disclosure of personal information without consent
  • Adequacy of preventative measures for mass emails
  • Mitigation of harm to affected individuals
  • Risk of recurrence of similar breaches

Federal (Canada) · Privacy Act · Well-founded
Dec 2, 2022 · Indexed Apr 12, 2026

Canada Border Services Agency over-discloses personal information to the Information Commissioner in relation to an ATIA request

Canada Border Services Agency

The Office of the Privacy Commissioner investigated a complaint where the Canada Border Services Agency (CBSA) disclosed a workplace review report containing an individual's personal information to the Information Commissioner. The OPC found that while disclosing information related to the complainant's access to information requests was a consistent use, disclosing the workplace review report was not. The CBSA contravened the Privacy Act by disclosing this report without consent and for a purpose inconsistent with its original collection.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether disclosing a workplace review report to the Information Commissioner constituted a 'consistent use' under paragraph 8(2)(a) of the Privacy Act.
  • The distinction between information collected for managing workplace conflict versus information collected for responding to access to information requests.
  • Whether the CBSA reasonably expected the disclosure of the workplace review report.

Federal (Canada) · Privacy Act · Well-founded & resolved
May 20, 2022 · Indexed Apr 12, 2026

Investigation into a privacy breach at a Canada Border Services Agency contractor

Canada Border Services Agency (CBSA)

This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.

Adjudicator: Daniel Therrien

Key Issues
  • Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
  • Whether the CBSA contravened the disclosure provisions of the Privacy Act.
  • Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
  • Whether the CBSA adequately managed the retention of personal information.

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
May 13, 2022 · Indexed Apr 12, 2026

DND breached the Privacy Act in disclosing the identity of a workplace violence complainant who had an expectation of confidentiality

Department of National Defence

The Department of National Defence (DND) disclosed the identity of a workplace violence (WPV) complainant and the investigation report to a second investigator, who was conducting a separate administrative investigation into the complainant's conduct. The OPC found that while disclosing the report to labour relations was a consistent use, disclosing it to the second investigator was not, as it was not a reasonably expected use of the information given the confidentiality assurances provided to the complainant. This disclosure was therefore found to be a contravention of the Privacy Act.

Adjudicator: Daniel Therrien

Key Issues
  • Was the disclosure of the WPV complainant's identity and report to a second investigator a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
  • Did DND's consent form clearly communicate potential uses and disclosures of the complainant's identity?
  • Did the disclosure align with the reasonable expectations of the complainant regarding confidentiality?
  • What corrective actions are necessary to ensure future compliance with privacy principles in WPV investigations?

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Jun 10, 2021 · Indexed Apr 12, 2026

Police use of Facial Recognition Technology in Canada and the way forward

RCMP

The Office of the Privacy Commissioner of Canada investigated the RCMP's collection of personal information from Clearview AI, a company that scraped billions of images from the internet for facial recognition. The OPC found that the RCMP contravened the Privacy Act by collecting this information, as Clearview had collected it unlawfully. While the RCMP disagreed with this finding, it agreed to implement the OPC's recommendations to improve its policies and systems for tracking and assessing novel collections of personal information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the RCMP's collection of personal information from Clearview AI related directly to an operating program or activity of the institution.
  • Whether the RCMP had adequate controls in place to prevent future contraventions of the Privacy Act.
  • The lawfulness of Clearview AI's data collection practices.
  • The adequacy of the RCMP's assessment of privacy risks associated with new technologies.

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
May 3, 2021 · Indexed Apr 12, 2026

Office of the Privacy Commissioner Compliance Monitoring of Statistics Canada’s Financial Transactions Project and Credit Agency Data Project: Final Report

Statistics Canada

This report follows up on an earlier investigation into Statistics Canada's Financial Transactions Project and Credit Agency Data Project. While the initial investigation found no contraventions, it raised significant privacy concerns. This compliance monitoring report assesses whether Statistics Canada’s redesigned projects adequately incorporate the principles of necessity and proportionality. Although Statistics Canada has made progress in reducing the scope of data collection and implementing privacy-enhancing measures, the report concludes that the project plans still fall short in adequately describing public goals, demonstrating effectiveness, and analyzing privacy impacts.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of public goal descriptions for necessity and proportionality assessment.
  • Demonstration of project effectiveness.
  • Sufficiency of privacy impact analysis, including risk of harm.
  • Alignment of Statistics Canada's necessity and proportionality framework with OPC criteria.

Federal (Canada) · Privacy Act · Well-founded & resolved
Nov 17, 2020 · Indexed Apr 12, 2026

Employer’s disclosure related to a transgender individual was contrary to the Privacy Act

A federal institution

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an employee of a federal institution who alleged a breach of privacy. The employee's personal information regarding her transgender identity and the reasons for her transfer were disclosed to her new supervisor and colleagues without her consent, despite assurances of confidentiality. The OPC found this disclosure contravened the Privacy Act.

Adjudicator: Daniel Therrien

Key Issues
  • Disclosure of personal information without consent
  • Confidentiality of transgender status
  • Application of the Privacy Act

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Aug 7, 2020 · Indexed Apr 12, 2026

RCMP contravened the Act by using certain types of non-conviction information for vulnerable sector checks without consent

Royal Canadian Mounted Police (RCMP)

Three individuals complained that the RCMP used non-conviction information in vulnerable sector (VS) checks without their informed consent. The OPC found that the RCMP contravened the Privacy Act in two of the three cases because the consent forms did not clearly explain what types of non-conviction information would be reported. The OPC also determined that the RCMP's policy of broadly reporting non-conviction information, including mental health incidents, was not proportional or minimally intrusive. The RCMP agreed to revise its consent forms and policies.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of informed consent for the use of non-conviction information in vulnerable sector checks.
  • Proportionality and minimal intrusiveness of reporting non-conviction information, including mental health incidents, in vulnerable sector checks.
  • Compliance with record retention requirements under the Privacy Act.
  • Consistency of RCMP policies and practices across different provinces.

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Aug 7, 2020 · Indexed Apr 12, 2026

Review of passport protection practices of four federal institutions

Immigration, Refugees and Citizenship Canada (IRCC)

This report details a review of passport protection practices by four federal institutions: IRCC, ESDC, GAC, and CPC. While the institutions generally had reasonable measures to prevent unauthorized passport disclosures, the review identified areas for improvement in incident detection, remediation for affected individuals, and learning from past breaches. The institutions agreed to implement the OPC's recommendations to enhance these processes.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of measures to prevent unauthorized disclosure of passports
  • Effectiveness of incident detection mechanisms
  • Sufficiency of remediation measures for affected individuals
  • Processes for learning from past passport breach incidents

Federal (Canada) · Privacy Act · Well-founded & resolved
Aug 7, 2020 · Indexed Apr 12, 2026

Investigation into a privacy breach at Public Services and Procurement Canada

Public Services and Procurement Canada

Public Services and Procurement Canada (PSPC) improperly disclosed pay-related information for 69,087 public servants to the wrong government institutions. An investigation found that PSPC contravened the Privacy Act due to this unauthorized disclosure. However, the complaints are considered resolved because PSPC took satisfactory corrective actions to remedy the vulnerabilities that caused the breach and notified affected individuals.

Adjudicator: Daniel Therrien

Key Issues
  • Unauthorized disclosure of personal information
  • Adequacy of PSPC's response to the breach
  • Timeliness and completeness of notification to affected individuals
  • Implementation of corrective measures to prevent recurrence